Gary Langston

F5 Networks, a major provider of application delivery and security solutions, has recently faced a critical cybersecurity breach involving a nation-state threat actor . Here's a comprehensive overview of the hack mitigation strategies , security incident details , and recommended actions for organizations using F5 BIG-IP devices. Summary of the F5 Security Incident Date of Discovery : August 9, 2025 Public Disclosure : October 15, 2025 Threat Actor : Nation-state affiliated group (suspected to be China-linked) Compromised Assets : Portions of BIG-IP source code Undisclosed vulnerabilities Customer configuration data for a subset of clients Risk Level : High – potential for supply chain attacks, credential theft, and lateral movement within networks. [arstechnica.com] Mitigation Strategies Recommended by CISA & F5 1. Immediate Actions Inventory all F5 devices : Identify hardware and virtual instances of BIG-IP, F5OS, BIG-IQ, etc. Disconnect end-of-support ...

  Remove Public Exposure of Port 3389 Never expose RDP directly to the internet. Use VPNs , Remote Desktop Gateway , or Azure Bastion to tunnel access securely. Implement IP allowlists and geo-fencing to restrict access to known locations. 2. Enforce Strong Authentication Enable Multi-Factor Authentication (MFA) with push-spam resistant methods (e.g., number matching, hardware tokens). Require Network Level Authentication (NLA) to validate users before session initiation. Pair NLA with TLS encryption to secure the handshake. 3. Apply Account Lockout Policies Set thresholds for failed login attempts and lockout durations to block brute-force bots. Use smart lockout features in Active Directory or Azure AD to reduce false positives. 4. Monitor and Alert on RDP Activity Watch for: Sudden spikes in failed logons Repeated login attempts across multiple usernames Logins from unusual geographies Use EDR tools that stitch session-level telemetry to detect “s...

  The recent vulnerability affecting Microsoft Defender for Endpoint (DFE) involves critical flaws in how the agent communicates with its cloud backend, potentially allowing attackers to bypass authentication and manipulate incident response processes. Key Vulnerabilities in Defender for Endpoint (DFE) Authentication Bypass : Attackers can impersonate the Defender agent using only the machine ID and tenant ID, which are accessible to low-privileged users via registry reads. This allows them to spoof commands and responses. Command Interception : By querying endpoints like /edr/commands/cnc , attackers can intercept or fake responses (e.g., falsely reporting a device as isolated), undermining actual security status. Certificate Pinning Circumvention : Researchers bypassed HTTPS protections by patching memory functions (e.g., CRYPT32!CertVerifyCertificateChainPolicy ) to inspect traffic in plaintext using tools like Burp Suite and WinDbg. Azure Blob Upload Exploits : Attackers c...

  Oracle has disclosed a critical vulnerability (CVE-2025-61882) affecting E-Business Suite versions 12.2.3 through 12.2.14. This pre-authentication remote code execution (RCE) flaw enables unauthenticated attackers to exploit multiple chained weaknesses — including SSRF, CRLF injection, authentication bypass, and unsafe XSLT processing — to gain full control of affected systems. Risk Assessment: Severity: Critical (CVSS 9.8) Exposure: Internet-facing Oracle EBS instances are at immediate risk Threat Activity: Active exploitation confirmed by threat intelligence sources, including Cl0p ransomware group Business Impact: Potential compromise of financial systems, data exfiltration, and operational disruption Recommended Actions: Immediate Patch Deployment: Apply Oracle’s July 2025 Critical Patch Update to all affected EBS environments. Network Segmentation: Restrict public access to Oracle EBS systems. Ensure they are isolated from internet-facing zones. Threat Monito...

 Its been a busy couple of weeks for Ransomware infections. Here is just a small list.   Charlotte-Mecklenburg School District, USA 10-06.2025 Comcast Corporation 10-04-2025 Insightin Health 10-04-2025 IKEA 10-03-2025 TransUnion 10-03-2025 Google AdSense 10-03-2025 Cisco 10-03-2025 Saks Fifth 10-03-2025 TripleA aaa.com 10-03-2025 Adidas 10-03-2025 Petco 10-03-2025 Instacart 10-03-2025 HBO Max 10-03-2025 Further details can be found below.  https://www.ransomware.live/

10-06-2025 By Qilin More information can be found here.  https://www.ransomware.live/id/TWVja2xlbmJ1cmcgQ291bnR5IFB1YmxpYyBTY2hvb2xzQHFpbGlu

  (MFA) Provider DDoS & Authentication Collapse: Incident Response Playbook Scenario Overview Situation: DDoS attack on (MFA) Provider causes global authentication failures and cascading account takeovers. Objective: Assess readiness, response coordination, and resilience. 1. Immediate Technical Response Activate Incident Response Plan (IRP): Declare a security incident. Initiate Crisis Management Team. Escalate to executive leadership and legal/compliance. Isolate Affected Systems: Segment networks to contain exposure. Disable/restrict access to systems dependent on (MFA) Provider authentication. Implement Emergency Authentication Controls: Switch to backup identity providers or local authentication. Enforce manual overrides for critical access (e.g., out-of-band verification, temporary credentials). Monitor for Account Takeover (A...